A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE MONTH(S) FROM THE MAILING DATE OF THIS COMMUNICATION.

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed after SIX (6) MONTHS from the mailing date of this communication.

- If the period for reply specified above is less than thirty (30) days, a reply within the statutory minimum of thirty (30) days will be considered timely. 
- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133).
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any earned patent term adjustment. See 37 CFR 1.704(b).

Status 

1) ☒ Responsive to communication(s) filed on 14 July 2000.

2a) □ This action is FINAL. 2b) ☒ This action is non-final.

3) □ Since this application is in condition for allowance except for formal matters, prosecution as to the merits is closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

4) ☒ Claim(s) 1-20 is/are pending in the application.

4a) Of the above claim(s) is/are withdrawn from consideration.

5) □ Claim(s) is/are allowed.

6) ☒ Claim(s) 1-20 is/are rejected.

7) □ Claim(s) is/are objected to.

8) □ Claim(s) are subject to restriction and/or election requirement.

Application Papers 

9) □ The specification is objected to by the Examiner.

10) ☒ The drawing(s) filed on 14 July 2001 is/are: a) ☒ accepted or b) □ objected to by the Examiner.

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a).

Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d).

11) □ The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152.

application from the International Bureau (PCT Rule 17.2(a)).

DETAILED ACTION

Claims 1-20 have been reviewed. 

Claim Objections 

Claim 9 is objected to because of the following informalities: the claim mentions "step (a)" but no reference is given as to what this step refers to. The examiner assumes the applicant is referring to claim 1, part (a). Appropriate correction or clarification is required.

Claim Rejections - 35 USC § 102 
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless -

(b) the invention was patented or described in a printed publication in this or a foreign country or in public use or on sale in this country, more than one year prior to the date of application for patent in the United States.

Claims 1-7 and 10-19 are rejected under 35 U.S.C. 102(b) as being unpatentable by Chambers, 
U.S. Patent No. 5,398,196. 

As per claims 1, 10, 11, 12, and 14, the applicant discloses the following method of detecting viral code which is anticipated by Chambers:

a) creating an artificial memory region spanning one or more components of the operating system 
(Col 7, lines 63-68; Col 8, lines 1-2); 

b) emulating execution of computer executable code in a subject file (Col 3, lines 42-45); 
c) detecting when the emulated computer executable code attempts to access the artificial memory region (Col 7, lines 63-68; Col 8, lines 1-2);

The applicant should note that the use of a processor is an additional limitation for claim 11. This limitation is met by Chambers (see Col 4, line 61).

As per claim 2, the applicant discloses the method of claim 1, which is met by Chambers (see above), with the following limitation which is also met by Chambers:

Wherein detecting when the emulated computer executable code attempts to access the artificial memory region comprises monitoring operating system calls by the emulated computer executable code (Col 6, line 68; Col 7, lines 1-15).

As per claim 3, the applicant discloses the method of claim 1, which is met by Chambers (see 
above), with the following limitations which are also met by Chambers: 

a) determining an operating system call that the emulated computer executable code attempted to access (Col 9, lines 13-25; Col 9, lines 44-54);

b) monitoring the operating system call to determine whether the computer executable code is 
viral (Col 9, lines 13-25; Col 9, lines 44-54). 

The applicant should note that the operating system call is the attempt to gain access to an operating system entry point. Through emulation of an interrupt handler routine, the method is able to monitor whether a virus is present.

As per claims 4 and 16, the applicant discloses the method of claim 1, which is met by Chambers 
(see above), with the following limitations which are also met by Chambers: 

a) determining an operating system call that the emulated computer executable code attempted to access (Col 9, lines 13-25; Col 9, lines 44-54);

b) emulating functionality of the operating system call while monitoring the operating system call 
to determine whether the computer executable code is viral (Col 9, lines 13-25; Col 9, lines 44-54); 

The applicant should note that the operating system call is the attempt to gain access to an operating system entry point. Through emulation of an interrupt handler routine, the method is able to monitor whether a virus is present.

As per claims 5 and 17, the applicant discloses the method of claim 1, which is met by Chambers (see above), with the following limitation which is also met by Chambers:

Further comprising monitoring accesses by the emulated computer executable code to the 
artificial memory region to detect looping (Col 10, lines 40-43); 

Applicant should note that looping is synonymous with the virus' "replicative behavior" (Col 10, line 43).

As per claims 6 and 18, the applicant discloses the method of claim 1, which is met by Chambers 
(see above), with the following limitation which is also met by Chambers: 

Wherein the artificial memory region spans an export table of one or more predetermined 
operating system components (Col 9, lines 13-25; Col 9, lines 44-54); 

The applicant should note that the export table of operating system components is represented 
by a "list of operating system entry points" (Col 9, lines 21-22). 

As per claims 7 and 19, the applicant discloses the method of claim 1, which is met by Chambers 
(see above), with the following limitation which is also met by Chambers: 

Wherein creating an artificial memory region includes creating a custom version of an export table 
with predetermined values for the entry points (Col 9, lines 13-25; Col 9, lines 44-54); 

As per claims 13 and 15, the applicant discloses the method of claims 12 and 14 respectively, 
which are met by Chambers (see above), with the following limitations which are also met by Chambers: 

a) a fourth segment comprising auxiliary code, wherein the auxiliary code determines an operating system call that the emulated computer executable code attempted to access (Col 9, lines 13-25; Col 9, lines 44-54);

b) a fifth segment comprising analyzer code, wherein the analyzer code monitors the operating 
system call to determine whether the computer executable code is viral, while emulation continues (Col 9, 
lines 13-25; Col 9, lines 44-54); 



Application/Control Number: 09/905,532 Page 5 

Art Unit: 2137 

The applicant should note that the monitor described in the passages listed for a) and b) above 
could be deemed as auxiliary or analyzer code. The operating system call is the attempt to gain access 
to an operating system entry point. 

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.

Claims 8, 9, and 20 are rejected under 35 U.S.C. 103(a) as being unpatentable over Chambers in further view of Golan, U.S. Patent No. 5,974,549.

As per claim 8, the applicant describes the method of claim 1, which is anticipated by Chambers 
(see above), with the following limitation which is anticipated by Golan: 

Further comprising monitoring access by the emulated computer executable code to dynamically linked functions (Col 6, lines 6-12; Col 5, lines 60-63);

Chambers describes all the limitations of claim 1, the independent claim. However, Chambers fails to disclose anything concerning dynamically linked functions. Golan describes a security monitor method whereby access to dynamically linked functions is regulated because, as Golan discloses, "in an operating system that supports virtual memory and hardware abstraction, a software component can only breach security by calling a system call" (Col 5, lines 38-41). It would have been obvious to one of ordinary skill in the art at the time the invention was filed to have combined the teachings of Chambers with those of Golan and monitor access to dynamically linked functions because requesting access to dynamically linked functions could be an attempt to breach security.

As per claim 9, the applicant discloses the method of claim 8, which is met by Chambers in further view of Golan (see above), with the following limitation which is met by Golan:

Wherein the artificial memory region created in step (a) spans a jump table containing pointers to the dynamically linked functions (Col 7, lines 31-35);

Chambers in further view of Golan describes all the limitations of claim 8. Golan describes the additional limitation of a jump table containing pointers to the dynamically linked functions. The jump table is often incorporated with dynamically linked functions to store the actual addresses of the dynamically linked functions. It would have been obvious to one of ordinary skill in the art at the time the invention was filed to have included a jump table with the method so that there could be a way of storing the actual addresses of the dynamically linked functions.



As per claim 20, the applicant discloses the method of claim 14, which is met by Chambers (see 
above), with the following limitation which is met by Golan: 

Wherein the artificial memory region created by the memory manager component spans a jump table containing pointers to dynamically linked functions, and the monitor component monitors access by the emulated computer executable code to the dynamically linked functions;

The claim is met by the combination of claims 8 and 9. Explanations for claim 8 and 9 rejections 
are listed above. 



Any inquiry concerning this communication or earlier communications from the examiner should 
be directed to Kevin Schubert whose telephone number is (571) 272-4239. The examiner can normally 
be reached on M-F 8:00-5:00. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Andrew Caldwell can be reached on (571) 272-3868. The fax phone number for the organization where this application or proceeding is assigned is 703-872-9306.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).




